fjh: how would I assign permissions
... I might want to receive from someone I did not anticipate

dom: it is about the application, not the user
... I agree that we need to decide on defining up front or not
... we need use cases for messaging where we can define a proper security model

<darobin> +1 to knowing what it is we want to do with messaging in the first place

<Zakim> fjh, you wanted to ask about use case

<AnssiK> Mozilla released their Open Web Apps platform I think yesterday, they're eyeing at "Permissions for Device API Access" spec and might have good feedback based on impl experiences: https://apps.mozillalabs.com/web_or_native.html

AnssiK: openwebapps platform is attacking similar problems
... they are stating that they are looking into permissions for device API
... who would be a good Mozilla contact
... we should get feedback from people implementing stuff

dom: we want to have idea of how to address issues raised at f2f
... some of the issues are fundamental
... before issuing document we need to understand that some issues are not addressable
... we need to

darobin: this might provide a path toward solution
... but I'm not a security expert

<richt> +1 agree with Robin but not too sure on the CSP connection :/

dom: CSP may help solve some of problem but cannot

<fjh> dom: CSP is server side, so not enough for client-side API

dom: use is as a security argument in API

darobin: solutions will come from broader options

<darobin> +1 to not doing anything new

AnssiK: we should not do anything that has not been done before
... let's not open can of worms
... so let's use, for example, fileinput, rather than obscure way for user input
... if we use general mechanisms that have been tested, we are safer

darobin: agree not to invent new input methods

richt: looked only briefly at it
... idea is to go straight to trusted events
... talks about synthesized events and how they can be mitigated
... but I still need to put some language into the contact spec